The Information Commissioner's Office (ICO) has hit out at organisations that let temporary staff handle customers' personal information without giving them adequate data protection training first.
The data protection watchdog said the run up to the Christmas period typically results in an influx of temporary workers at companies across the UK who require the same data handling training as permanent members of staff.
Sally Anne Poole, enforcement group manager at the ICO, said: "The temporary nature of their employment doesn't absolve employers of their legal responsibilities for making sure people's information is being looked after correctly."
Poole's comments follow the news that Grand Ormond Street Hospital has been investigated by the ICO after four data breaches took place there between 28 January 2012 and 18 June 2013.
In all cases, the breaches involved letters detailing the treatment being administered to five patients being sent to the wrong address.
The ICO's investigation revealed that three out of four of the incidents related to the work of temporary staff who had received inadequate data protection training, even though the work routinely involved handling personal information.
It also discovered the hospital had no system in place to check if patient letters were being addressed to right people before they were sent out.
"If organisations are employing temporary or agency workers into positions that involve the handling and sending out of personal information they must make sure staff have received adequate data protection training," said Poole.
"Great Ormond Street Hospital for Children NHS Foundation Trust failed to do this and have now been required to sign an undertaking to improve their practices."
In a statement to IT Pro, Great Ormond Street Hospital said it takes the privacy of its patients "extremely seriously" and expressed regret that these four breaches had occured.
"We have responded by rapidly putting into place an action plan to ensure we have the necessary training and systems to keep all our patient information safe and secure," the statement read.
"This has included taking additional steps to ensure all staff, including temporary workers, have received comprehensive data protection training before working with any patient data. We have also introduced a new requirement for all staff to use a more centralised, regularly updated and accurate database of patient contact details, to ensure all correspondence is being sent to the correct address."
